by nathanaldensr 3171 days ago
It's not hypothetical at all. Watch the demos; they clearly demonstrate data being exfiltrated. Additionally, the article mentions several times that yes, the bits/sec is quite low due to several factors. I don't think the author is exaggerating the situation at all.

Would you rather wait for the API to go live and then be abused to steal real data? I would much rather researchers discover and report on possible attack vectors long before they are enabled by default. "Trust by default" long ago proved foolish.


> Although in our proof of concept demonstrations we rely on the assumption that the light conditions do not change during the exfiltration phase, extending the demos to handle these situations shouldn’t be a problem

They say themselves that their demo is not real world and won't work in the real world and then say it "shouldn't be a problem" to make it work.

Not to mention that it takes 20 seconds of flashing the user's screen to do the thing (how is that supposed to work without setting off alarm bells?).

As I said, they have no proof of a real world vulnerability, only proof in a staged environment, and they readily admit it.

> they have no proof of a real world vulnerability

So what. This "default allow" attitude is easily more damaging than any other source of security problems. You (or anyone else) cannot know all of the ways exposing new data could be exploited, or might already be exploited in ways that we are not lucky enough to know about.

Caring about security - which includes the future unknown unknowns you don't yet know to even look for - means minimizing what is exposed to the public attack surface to what is both needed (which does not include anything merely "wanted") and demonstrated/proven to have trivial risk with known limits.